YARA Cheat Sheet
Pattern matching language to identify malware families, IOCs, and suspicious byte sequences in files and memory.
Overview
YARA rules describe strings and conditions to classify files. Used in malware analysis, SOC hunting, and scanning disk/memory dumps from Volatility or live response collections.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
```shell
sudo apt install -y yara
```
Python module
```shell
pip install yara-python
```
Essential commands
Scan file with rule
```shell
yara rule.yar suspicious.exe
```
Scan directory recursively
```shell
yara -r rules/ /path/to/samples/
```
Fast scan (skip slow modules)
```shell
yara -s rule.yar file.bin   # print matching strings
```
Common workflows
Basic rule
```yara
rule Suspicious_PowerShell {
    meta:
        description = "Encoded PowerShell indicators"
        author = "analyst"
    strings:
        $a = "powershell" nocase
        $b = "-enc" nocase
        $c = "FromBase64String" nocase
    condition:
        2 of them
}
```
```shell
yara -s ps.yar /mnt/evidence/Users/
```
Scan with external rulesets
```shell
git clone https://github.com/Yara-Rules/rules
yara -r rules/malware/ sample.zip
```
Compile rules (faster repeated scans)
```shell
yarac rule.yar rule.yarc
yara rule.yarc /large/imageset/
```
Memory / process dump
```shell
yara -s malware.yar process.dmp
vol -f mem.raw windows.memmap --pid 666 --dump
yara cobalt_strike.yar pid.666.dmp
```
Metadata and modules
```shell
yara -p 4 rule.yar file         # scan with 4 threads
# PE module for version checks: modules are enabled inside the rule, not by a CLI flag.
# Put `import "pe"` at the top of rule.yar and use pe.* fields in the condition.
yara rule.yar file.exe
```
Flags reference
| Flag | Meaning |
|---|---|
| -r | Recursive directories |
| -s | Print matching strings |
| -g | Print rule name per file |
| -c | Count matches only |
| -f | Fast mode (no stop on first) |
| -m MODULE | Enable module (pe, elf, dotnet) |
| -d VAR=val | External variable for rule |
| yarac | Compile rules to binary |
Tips
- Use condition: uint16(0) == 0x5A4D for PE magic at start.
- Avoid overly broad strings — high false positives in Program Files.
- LOKI / THOR wrap YARA for enterprise scanning.
- Test rules against clean gold images before production hunts.
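Added example (not part of the cheat sheet): a pure-Python re-implementation of the logic in the Suspicious_PowerShell rule above and of the `uint16(0) == 0x5A4D` tip, so the `nocase` strings, the `2 of them` threshold and the little-endian magic read can be unit-tested offline before a hunt. It does not use yara-python; the sample buffers are constructed.

```python
import re

# Strings from the Suspicious_PowerShell rule, all declared `nocase`
STRINGS = {
    "$a": b"powershell",
    "$b": b"-enc",
    "$c": b"FromBase64String",
}


def find_nocase(data: bytes, pattern: bytes) -> list:
    """Offsets where pattern occurs case-insensitively (a YARA `nocase` string)."""
    rx = re.compile(re.escape(pattern), re.IGNORECASE)
    return [m.start() for m in rx.finditer(data)]


def is_pe(data: bytes) -> bool:
    """Equivalent of `uint16(0) == 0x5A4D`: YARA reads uint16 little-endian,
    so 0x5A4D is the bytes 'M','Z' at offset 0."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def evaluate(data: bytes, required: int = 2) -> dict:
    """Emulate `condition: 2 of them` and report hits like `yara -s` does.
    `required` plays the role of an external variable (yara -d VAR=val)."""
    hits = {ident: find_nocase(data, pat) for ident, pat in STRINGS.items()}
    matched = {k: v for k, v in hits.items() if v}
    return {"match": len(matched) >= required, "strings": matched, "pe": is_pe(data)}


# Constructed samples: an encoded-command launcher, a benign admin note
# that mentions -enc, and a bare PE header with no indicators at all.
LAUNCHER = b"cmd /c PowerShell.exe -NoP -Enc SQBFAFgA"
BENIGN = b"The -enc flag is documented in the admin guide."
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, buf in (("launcher", LAUNCHER), ("benign", BENIGN), ("pe_stub", PE_STUB)):
        r = evaluate(buf)
        print(f"{name}: match={r['match']} pe={r['pe']} strings={r['strings']}")
```

The benign note hits only `$b`, which is why the rule's `2 of them` keeps it from firing; lowering `required` to 1 shows how a single broad string turns into the false positives the tips warn about.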